
Good afternoon all. I too have been subjected to the misery of Aurora. Anyway, to the matter in hand. I browsed your forums and read topic 24569, which explained the necessary steps to enable me to remove this infection. All the downloads (ewido, nailfix.zip and hijackthis) were completed and installed. Restarted in safe mode and ran nailfix.cmd, but according to the post I read it should have run briefly and then cleared; however I got the message:

"nailfix.exe is not recognised as an internal or external command, operable program or batch file"
"could not find C:\Windows\nail.exe"
"could not find C:\Windows\system32\DrPMon.dll"

I ignored this and then got a popup entitled "16-bit MS-DOS subsystem". The contents of the popup read:

"C:\WINDOWS\System32\cmd.exe"
"C:\WINDOWS\System32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft applications. Choose 'Close' to terminate the application."

Again I ignored it and it went away. I then ran ewido and it duly did its thing, then I ran HijackThis and below is the log generated:

Click on "Proceed"
Click on "Scan Now"
Deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat.
Select "Search for low-risk threats"
Run the scanner using the Full Scan (Perform full system scan) mode.
When the scan has completed, select Next.
In the Scanning Results window, select the "Scan Summary" tab.
Check the box next to every "target family" for removal.
Click "Next", Click "OK".

Reboot your computer again

Run a second scan (With Ad-aware & VX2 Cleaner) to make sure the files have been removed from your computer

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

Once in Safe Mode, go to -> Control Panel -> Add/Remove programs and uninstall the following instances if present:

SurfSideKick 3
SurfSideKick

Now, run a scan with HijackThis and check the following objects for removal if present:

Hit a couple of snags. First off, my PC took ages to run Ewido; when it did, it wouldn't update. It just sat there for ages and I had to close it as it was not responding. So I uninstalled it and then downloaded the version you described. I didn't install the guard, and by that assumed that the download would have the latest updates.

Second, I ran HijackThis in safe mode (no SurfSideKick files present - huzzah!!) and duly highlighted the corresponding files from the list you gave me and "Fixed Checked" them. I then got this error message:

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

This message has been copied to your clipboard. Click OK to continue the rest of the scan.

I continued the fix process, then re-opened HijackThis and performed a scan again. Upon examination 2 files were not removed, so I rechecked them and fixed them and got the same message; however, further examination revealed only 1 file was left, this being:

O20 - AppInit_DLLs: repairs303169545.dll

Proceeding onward, I exited all and then removed the ssk files present, but again on trying to run Ewido, it refused to start up and again was not responding.
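The one entry HijackThis could not fix above is an AppInit_DLLs value. Windows loads every DLL listed there into every process that loads user32.dll, which includes the cleaning tools themselves, so it is worth checking the value directly rather than relying on the O20 line alone. The PowerShell below is an added example for this thread, not something the poster or the helper used and not part of HijackThis; the function names Get-AppInitDlls and Remove-AppInitDll are mine, it assumes a 32-bit Windows 2000/XP registry layout (no Wow6432Node) and an Administrator session, and the DLL name comes from the log line above purely as the usage example.

```powershell
# Added example, not from the original thread. Inspect and edit the AppInit_DLLs value
# that HijackThis reports as an O20 entry. Assumes 32-bit Windows 2000/XP and an admin session.
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDlls {
    # The value is a REG_SZ holding a space- or comma-separated list of DLL names or paths.
    $item = Get-ItemProperty -Path $AppInitKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue
    if ($item -eq $null -or [string]::IsNullOrEmpty($item.AppInit_DLLs)) { return @() }

    $item.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ -ne '' } | ForEach-Object {
        $name = $_
        # A bare file name is normally dropped in System32; a rooted path is taken as given.
        if ([System.IO.Path]::IsPathRooted($name)) {
            $resolved = $name
        } else {
            $resolved = Join-Path $env:SystemRoot "System32\$name"
        }
        New-Object PSObject -Property @{
            Entry    = $name
            Resolved = $resolved
            Exists   = Test-Path -LiteralPath $resolved
        }
    }
}

function Remove-AppInitDll {
    param([Parameter(Mandatory = $true)][string]$Entry)
    # Rewrite the value without the unwanted entry and report how many entries were dropped.
    # Comparison is case-insensitive (PowerShell -ne default), matching how the loader treats names.
    $current = @(Get-AppInitDlls | ForEach-Object { $_.Entry })
    $kept    = @($current | Where-Object { $_ -ne $Entry })
    Set-ItemProperty -Path $AppInitKey -Name 'AppInit_DLLs' -Value ($kept -join ' ')
    return ($current.Count - $kept.Count)
}

# Usage: list what is currently registered and whether each file is actually on disk.
Get-AppInitDlls | Format-Table Entry, Resolved, Exists -AutoSize

# To remove the entry from the log line above (assumed name), then reboot and list again:
# Remove-AppInitDll -Entry 'repairs303169545.dll'
```

Clearing the registry value stops the DLL being injected after the next reboot; the file itself still has to be deleted, and because the DLL is already sitting inside every running GUI process, re-run Get-AppInitDlls after the reboot to confirm the value has not been written back.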

This scan might take around 3+ hours to finish when set to scan everything. I need you to run MWav by double-clicking on mwav.exe. Put a check next to the below items before scanning:

Memory

Startup Folders

Drive - All Local Drives

Folder - then click "browse" to change the directory to C: (default is C:\Windows)

Registry

System Folders

Services

Include Sub-Directory

Scan All Files

Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

***NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now, run the cleaner again, by checking all under Main -- clicking Empty Selected, it will clean whats left.

It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

When download is complete, click on My Computer to start the scan

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a fresh HijackThis log.

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

==

After reboot, go to -> Control Panel -> Add/Remove programs and uninstall the following entry if present:

Hi Rawe. Again followed your instructions to the T and all went well except that Killbox wouldn't accept the path "C:\Documents and Settings\Kath\setup.exe" when I executed the paste from clipboard function. I tried several times, gave up, deleted and rebooted. Once rebooted I then highlighted the "C:\Documents and Settings\Kath\setup.exe" path again and just pasted it in. When I tried to delete it however I got the "PendingFileRenameOperations prompt", so as far as I'm aware it's still there?? Anyway, the rest went fine and here's the latest HijackThis log.
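The PendingFileRenameOperations prompt in the post above refers to a REG_MULTI_SZ value under the Session Manager key: it holds source/destination pairs that the kernel processes early in the next boot, and a pair whose destination is empty is a delete, which is how "Delete on Reboot" gets rid of a file that is locked while Windows is running. The PowerShell below is an added example for this thread, not Killbox's code and not anything the poster ran; the function names Get-PendingFileRenames and Request-DeleteOnReboot are mine, it assumes an Administrator session, and the path from the post above is used only as the example argument. It lets you see whether the deletion was actually queued and, if not, queue it yourself through the same Win32 call the OS provides.

```powershell
# Added example, not from the original thread. Show what is queued for the next boot and
# queue a delete-on-reboot the way the OS does it: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT.
# Assumes an elevated session; the sample path is the one quoted in the post above.
$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingFileRenames {
    # Entries come in pairs: source, destination. Empty destination = delete.
    # Paths are stored as NT object paths with a leading \??\ which we strip for display.
    $item = Get-ItemProperty -Path $SessionMgr -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    if ($item -eq $null) { return @() }
    $ops = @($item.PendingFileRenameOperations)
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = $ops[$i] -replace '^\\\?\?\\', ''
        $dst = ''
        if ($i + 1 -lt $ops.Count) { $dst = $ops[$i + 1] -replace '^\\\?\?\\', '' }
        if ($dst -eq '') { $action = 'delete' } else { $action = "rename to $dst" }
        New-Object PSObject -Property @{ Source = $src; Action = $action }
    }
}

# P/Invoke MoveFileEx once per session (Add-Type refuses to redefine an existing type).
if (-not ('Win32.NativeMethods' -as [type])) {
    Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
}

function Request-DeleteOnReboot {
    param([Parameter(Mandatory = $true)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4
    # Null destination + DELAY_UNTIL_REBOOT appends a delete entry to PendingFileRenameOperations;
    # the file is removed before any user-mode process can open or lock it at the next boot.
    $ok = [Win32.NativeMethods]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for '$Path': " + (New-Object System.ComponentModel.Win32Exception($code)).Message
    }
}

# Usage: check what Killbox (or anything else) already queued, queue the file from the post,
# confirm it now shows as a delete entry, then reboot and run Get-PendingFileRenames again.
Get-PendingFileRenames | Format-Table Source, Action -AutoSize
# Request-DeleteOnReboot -Path 'C:\Documents and Settings\Kath\setup.exe'
# Get-PendingFileRenames | Where-Object { $_.Source -like '*\Kath\setup.exe' }
```

If the file is still present after the reboot, the entry was either never written or was consumed by something else; in that case run the listing again from Safe Mode before re-queuing, and note that the value is cleared by the kernel as it processes it, so an empty list after a restart is the expected result.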

Launch Ewido, there should be an icon on your desktop, double-click it.

The program will now open to the main screen.

When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.

Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")

If you are having problems with the updater, you can use this link to manually update Ewido: Ewido manual updates

==

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

Please run a scan with Ewido:

Click on scanner

Click on Complete System Scan and the scan will begin.

You will be prompted to clean the first infection.

Select "Perform action on all infections", then proceed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report.

Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)

Close Ewido Anti-Malware.

Now, reboot back into Normal mode, open the Report.txt file and copy & paste its content to this thread along with a fresh HijackThis log.